The most important part of developing secure (and robust) systems is to validate all input that comes from the outside (and, for large systems, even input passed between components). However, writing validation code isn't usually very fun, and so, like many other good practices, input validation is sometimes neglected. If you develop in ASP.NET or WinForms, there are some validation controls that help you a little, but they don't provide out-of-the-box protection against XSS attacks, SQL injection, UTF-8 canonicalization problems and so on. To guard against things like that you need to write your own validation code.
In this article, Mathew Nolton describes a validation framework that lets you use custom attributes to do most of the heavy lifting, essentially providing declarative validation. This stuff is very cool, and another fine example of just how useful custom attributes in .NET can be.
I think the following method signature gives you an idea of how it works:
public void SomeMethod ( [RegExAttribute("[a,e,i,o,u]",RegexOptions.None)] string someParameter)
Together with some boilerplate code (which could be autoinserted by your editor), this ensures that if someParameter ever contains anything but the letters a,e,i,o,u, a ValidationException is thrown.
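To make the mechanism concrete, here is an added example of how such a declarative validator can be wired up with reflection. It is my own illustration, not code from Nolton's article or his framework: the `ValidatorAttribute` base class, the `Validator.Validate` helper and the `Demo` class are assumptions about the shape of the plumbing, and `ValidationException` and `RegExAttribute` are named to match the signature above, with their internals invented here. The boilerplate the text mentions is the single `Validator.Validate(...)` call at the top of `SomeMethod`.

```csharp
using System;
using System.Reflection;
using System.Text.RegularExpressions;

// Thrown when an argument fails the validation declared on its parameter (assumed shape).
public class ValidationException : Exception
{
    public ValidationException(string message) : base(message) { }
}

// Base for all parameter validators; concrete attributes implement IsValid (assumption).
[AttributeUsage(AttributeTargets.Parameter, AllowMultiple = true)]
public abstract class ValidatorAttribute : Attribute
{
    public abstract bool IsValid(object value);
}

// Regex validator: the argument must be a string matching the pattern.
// Null is rejected; a separate "optional" attribute would be the place to allow it.
public sealed class RegExAttribute : ValidatorAttribute
{
    private readonly Regex _regex;

    public RegExAttribute(string pattern, RegexOptions options)
    {
        // A match timeout keeps a pathological input from turning validation into a DoS.
        _regex = new Regex(pattern, options, TimeSpan.FromMilliseconds(100));
    }

    public override bool IsValid(object value)
    {
        return value is string s && _regex.IsMatch(s);
    }
}

public static class Validator
{
    // The boilerplate each method calls: read the attributes on its own parameters
    // and check the actual arguments against them, failing closed on the first miss.
    public static void Validate(MethodBase method, params object[] args)
    {
        ParameterInfo[] parameters = method.GetParameters();
        if (parameters.Length != args.Length)
            throw new ArgumentException("Argument count does not match parameter count.");

        for (int i = 0; i < parameters.Length; i++)
        {
            foreach (ValidatorAttribute v in parameters[i].GetCustomAttributes(typeof(ValidatorAttribute), true))
            {
                if (!v.IsValid(args[i]))
                    throw new ValidationException(
                        $"Parameter '{parameters[i].Name}' of {method.Name} failed {v.GetType().Name}.");
            }
        }
    }
}

public class Demo
{
    // Anchored pattern: the whole string must consist of vowels (see note below).
    public void SomeMethod([RegExAttribute(@"^[aeiou]+$", RegexOptions.None)] string someParameter)
    {
        Validator.Validate(MethodBase.GetCurrentMethod(), someParameter);
        Console.WriteLine($"Accepted: {someParameter}");
    }

    public static void Main()
    {
        var d = new Demo();
        d.SomeMethod("aeiou");                 // accepted
        try { d.SomeMethod("hello"); }         // contains consonants: rejected
        catch (ValidationException e) { Console.WriteLine(e.Message); }
    }
}
```

One detail worth checking in any regex-based validator: `Regex.IsMatch` succeeds if the pattern matches anywhere in the input, so an unanchored class like `[a,e,i,o,u]` would accept `"hello"` (it contains an `e`) and also accept a literal comma, which sits inside the brackets. Anchoring with `^` and `$` and giving the class a quantifier, as in the example, is what makes "anything but the letters a, e, i, o, u" actually fail.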